SCONE Configuration and Attestation Service (CAS)

SCONE CAS manages an application's secrets. The application is in complete control of the configuration data: only services which are given explicit permission by the application's policy will get - after a successful attestation and verification - access to keys, encrypted data, encrypted code, and configuration data.

Key Generation. SCONE CAS can generate keys on behalf of an application. It creates the keys inside an enclave, i.e., inside a trusted execution environment.

Policy Control. A security policy governs access to keys. The application owner is in control of this policy. The application owner is in full control of the access to the policies and hence, the keys. Neither root users nor SCONE CAS admins can access the keys or security policies.

Secure Configuration. Keys and configuration data are provisioned without the need to change the source code of applications: secrets, keys, and configuration parameters are securely supplied via command line arguments, environment variables, and transparently encrypted files.

Attestation and Verification. SCONE CAS always executes inside enclaves and can be attested by clients.

Isolation. Users can run separate instances of SCONE CAS, i.e., one can isolate the secrets of different users and the secrets of various applications. Namespaces permit to isolate the policies of different users and applications when using the same SCONE CAS instance.

Access control. To modify or read a policy, a client needs to prove, via TLS, that it knows the private key belonging to a public key specified in the policy. SCONE CAS grants - without any exception - only such clients access to this policy. The client's access to a private key is typically also controlled by a policy - possibly, even the same policy. Note that only after a successful attestation will a client can get access to its private keys.

Management. The management of SCONE CAS can be delegated to a third party. CAS itself ensures the confidentiality and integrity of the policies and their secrets. Since the entity creating a policy has complete control over who can read or modify this policy, no admin managing SCONE CAS can overwrite the application's access control to a policy.

Peer-to-Peer operation: SCONE CAS supports peer-to-peer based attestation of services operated by mutually distrusting peers.

Attested and Encrypted Code. In managed languages like Python and Java, SCONE CAS attests and verifies the Python engine/the JVM and the Python code / Java code.

Air-gapped operation. SCONE CAS and the confidential applications can run air-gapped. (This feature is available starting SCONE 5.8)

Firewall. SCONE CAS can limit the network communication of an application. When enabled in the policy, only explicitly permitted network communication is allowed. (This network shield feature is available starting SCONE 5.8)